CIOs Cope with Personal iPads and Smartphones on Secure Networks

As these user-friendly devices become intertwined with the average person’s daily habits, public CIOs are responding with formal policies.

Though Nebraska discourages personal devices due to the potential for making sensitive data vulnerable and the risk of litigation over improper downloads, even state CIO Brenda Decker acknowledges the benefits of allowing them.

Montgomery County, Md., CIO Steve Emanuel likes using his iPad at work, and may use some funding to see if personal devices could reduce his maintenance staff’s workload.

With dazzling gadgets like iPads and Androids flooding the market, people who weren’t techies before are becoming geekier by the year. And CIOs get it. They know that a growing percentage of the government work force is conducting business on personal mobile devices.

As these user-friendly devices become intertwined with the average person’s daily habits — both business and personal — public CIOs are responding with formal policies. But not all agencies agree on whether to embrace or discourage the use of personal devices at work.

Nebraska, for instance, discourages them due to the potential for making sensitive data vulnerable and the risk of litigation over improper downloads. Yet even state CIO Brenda Decker acknowledges the benefits of allowing personal devices on the secure government network.

“We understand there is a cost advantage,” said Decker, pointing out that agencies could have fewer devices to buy if employees used their own. “There is also a convenience advantage to the employee,” she said. “I carry two devices — one for personal use, one for state use — and I have to be very cautious that my family understands this is my state device.”

Nebraska agency directors can approve the use of personal devices on a case-by-case basis.

“A lot of our employees look at it and see that they may have a dental appointment from 8 to 9 in the morning, but if they can sit in the doctor’s office with their personal PC and get that work done [or] put in an extra hour in the evening to make up the time — that’s advantageous to both the state and the individual,” Decker said. “We see there are some advantages. We just feel we have to be cautious about the data that’s going back and forth.”

Decker is right about the cost advantage. A pilot project that subsidizes data plans on personal devices for employees in the Delaware Department of Technology and Information already has produced tangible savings.

“We’ve seen about a 20 percent reduction in our wireless costs and an 18 percent reduction in the number of state-owned devices in that department,” said William Hickox, Delaware’s chief operating officer. His staff recently submitted findings to the governor and recommended taking the policy statewide. Hickox predicts that Delaware could save roughly $2.5 million annually.

Still, these policies raise plenty of questions for agency managers and IT leaders. Among them: Should agencies subsidize data plans for employees’ personal devices, since employees likely would purchase them anyway? Who will handle the workload of securing the numerous types of devices that employees are likely to bring to work? Should the help desk be expected to support those devices?

As long-term budget shortages force public CIOs to create a new normal, many are considering a switch to personal devices as part of that evolution. Like any policy decision, determining the role of personal devices in the government workplace will bring its share of challenges, benefits, unintended consequences and implementation approaches.

They’re Doing it Anyway

When Apple CEO Steve Jobs introduced the iPhone in 2007, he promised a cultural shift that would centralize all computing needs onto one mobile device. To an extent, Apple delivered on that lofty goal and devices like the iPhone and the iPad became wildly popular. Resistance became somewhat futile.

In other words, public CIOs are recognizing that employees will attempt to use their shiny new devices regardless of the rules. Delaware succumbed to that inevitability in 2010 when it launched a set of security policies for personal devices, mostly smartphones, to safely access the secure state network. Despite the state offering agency-sponsored BlackBerrys, a portion of the work force insisted on using personal devices and accessed the network without formal approval. Not surprisingly, this made Delaware Chief Security Officer Elayne Starkey apprehensive.

“I’m sleeping easier at night because I know that, as of Nov. 15, we have closed a significant vulnerability,” Starkey told Government Technology last year.

Since then, attitudes have evolved in Delaware. The Department of Technology and Information’s subsidy policy creates a financial incentive for employees to use their personal mobile devices. If the pilot goes statewide, employees who are willing to turn in their state-issued devices will be reimbursed up to $30 per month for data plans on their personal smartphones.

Hickox said there was extensive debate about whether the state should pay for data plans that employees would probably purchase themselves. Simple cost savings settled the argument. Most state agencies pay $80 to $90 for each BlackBerry, Hickox said. Under his proposed change, employees would pay for their own devices, voice plans and associated taxes. The state would merely cover the $30 data plan. If state business increases the bill for an employee’s voice plan, the state will kick in an extra $10. Hickox said his team is careful to call the money a “reimbursement,” not a stipend, because a stipend counts as taxable income. Employees turn in their receipts each month for the reimbursement.